Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2014/04/11 14:38:43 UTC

Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f
are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."

No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server
configuration change besides disabling SSL/TLS completely can resolve this.
Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat
extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.

If you obtain OpenSSL in binary form with or without Apache HTTP Server,
contact the supplier of the binary for resolution. If you build OpenSSL
yourself, refer to the OpenSSL project for further information, including
the advisory at http://www.openssl.org/news/secadv_20140407.txt .


XXXX

Have binaries which included an affected level of OpenSSL ever been
distributed from our site?

I don't see anything from the release/httpd/binaries/win32 directory in the
output of svn log -v | grep openssl . (Is that the right check?)

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/

Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

Posted by Jeff Trawick <tr...@gmail.com>.
On Fri, Apr 11, 2014 at 8:38 AM, Jeff Trawick <tr...@gmail.com> wrote:

> SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f
> are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."
>
> No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server
> configuration change besides disabling SSL/TLS completely can resolve this.
> Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat
> extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.
>

"SSLv2 and SSLv3 are not vulnerable to CVE-2014-0160, but limiting the
configuration to one or both of those protocols is not recommended for
other reasons."


>
> If you obtain OpenSSL in binary form with or without Apache HTTP Server,
> contact the supplier of the binary for resolution. If you build OpenSSL
> yourself, refer to the OpenSSL project for further information, including
> the advisory at http://www.openssl.org/news/secadv_20140407.txt .
>
>
> XXXX
>
> Have binaries which included an affected level of OpenSSL ever been
> distributed from our site?
>
> I don't see anything from the release/httpd/binaries/win32 directory in
> the output of svn log -v | grep openssl . (Is that the right check?)
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
> http://edjective.org/
>
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/

Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

Posted by Jeff Trawick <tr...@gmail.com>.
On Fri, Apr 11, 2014 at 12:47 PM, Rainer Jung <ra...@kippdata.de> wrote:

> On 11.04.2014 18:05, Jeff Trawick wrote:
> > On Fri, Apr 11, 2014 at 10:18 AM, Jeff Trawick <trawick@gmail.com
> > <ma...@gmail.com>> wrote:
> >
> >     On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan
> >     <rainer.canavan@sevenval.com <ma...@sevenval.com>>
> >     wrote:
> >
> >
> >         On Apr 11, 2014, at 14:38 , Jeff Trawick <trawick@gmail.com
> >         <ma...@gmail.com>> wrote:
> >
> >         > SSL/TLS-enabled configurations of Apache HTTP Server with
> >         OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called
> >         "Heartbleed Bug."
>
> Before 1.0.1a there was 1.0.1 (without a letter) and I expect that
> version was already vulnerable. So maybe "OpenSSL 1.0.1 up to 1.0.1f" or
> similar.
>
> One might also want to explicitly state that "Any OpenSSL version
> smaller than 1.0.1 is not vulnerable." That takes away the uncertainty,
> whether the advisory only cares about the recent version or left out the
> older ones deliberately. The term "earlier" instead of "smaller" would
> be again misleading, because version number counts, not release date. Oh
> my.
>
> Regards,
>
> Rainer
>
>
Fixed on blog (thanks!)

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/

Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

Posted by Rainer Jung <ra...@kippdata.de>.
On 11.04.2014 18:05, Jeff Trawick wrote:
> On Fri, Apr 11, 2014 at 10:18 AM, Jeff Trawick <trawick@gmail.com
> <ma...@gmail.com>> wrote:
> 
>     On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan
>     <rainer.canavan@sevenval.com <ma...@sevenval.com>>
>     wrote:
> 
> 
>         On Apr 11, 2014, at 14:38 , Jeff Trawick <trawick@gmail.com
>         <ma...@gmail.com>> wrote:
> 
>         > SSL/TLS-enabled configurations of Apache HTTP Server with
>         OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called
>         "Heartbleed Bug."

Before 1.0.1a there was 1.0.1 (without a letter) and I expect that
version was already vulnerable. So maybe "OpenSSL 1.0.1 up to 1.0.1f" or
similar.

One might also want to explicitly state that "Any OpenSSL version
smaller than 1.0.1 is not vulnerable." That takes away the uncertainty,
whether the advisory only cares about the recent version or left out the
older ones deliberately. The term "earlier" instead of "smaller" would
be again misleading, because version number counts, not release date. Oh my.

Regards,

Rainer


Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

Posted by Jeff Trawick <tr...@gmail.com>.
On Fri, Apr 11, 2014 at 10:18 AM, Jeff Trawick <tr...@gmail.com> wrote:

> On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan <
> rainer.canavan@sevenval.com> wrote:
>
>>
>> On Apr 11, 2014, at 14:38 , Jeff Trawick <tr...@gmail.com> wrote:
>>
>> > SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL
>> 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."
>> >
>> > No Apache HTTP Server fix is needed to resolve this; no Apache HTTP
>> Server configuration change besides disabling SSL/TLS completely can
>> resolve this.  Instead, a patch to OpenSSL, a rebuild of OpenSSL with the
>> TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or
>> later is required.
>> >
>> > If you obtain OpenSSL in binary form with or without Apache HTTP
>> Server, contact the supplier of the binary for resolution.  If you build
>> OpenSSL yourself, refer to the OpenSSL project for further information,
>> including the advisory at http://www.openssl.org/news/secadv_20140407.txt.
>>
>> mod_spdy comes bundled with a script that builds mod_ssl.so with a
>> statically linked
>> OpenSSL. Other people may have done the same, or even with a mod_ssl
>> built statically
>> into apache. For those, just updating OpenSSL may be insufficient to fix
>> the heartbleed
>> bug.
>>
>> rainer
>
>
>
> Hmmm...  mod_ssl could be linked statically with OpenSSL, mod_spdy or not.
>  Yeah it is more complicated, but that makes it even more useful to explain.
>
> --/--
>
> httpd and mod_ssl must be rebuilt with the new OpenSSL when OpenSSL is
> statically linked with mod_ssl.  Note:  The build of mod_spdy may rebuild
> mod_ssl in this manner.
>
> If you are using a commercial product based on Apache HTTP Server, consult
> the vendor for information about the applicability of CVE-2014-0160 to
> your server.  If you are otherwise using mod_ssl or a replacement for it
> from a third party, consult the third party for more information.  If your
> third-party module build rebuilds mod_ssl (e.g., mod_spdy), consult the
> vendor for more information.
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
> http://edjective.org/
>
>
I'll leave it at this (plus any subsequent fixes):

http://emptyhammock.blogspot.com/2014/04/apache-http-server-and-cve-2014-0160-so.html

If anyone wants http://httpd.apache.org to have something similar, we can
move/improve the text on my blog.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/

Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

Posted by Jeff Trawick <tr...@gmail.com>.
On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan <
rainer.canavan@sevenval.com> wrote:

>
> On Apr 11, 2014, at 14:38 , Jeff Trawick <tr...@gmail.com> wrote:
>
> > SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL
> 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."
> >
> > No Apache HTTP Server fix is needed to resolve this; no Apache HTTP
> Server configuration change besides disabling SSL/TLS completely can
> resolve this.  Instead, a patch to OpenSSL, a rebuild of OpenSSL with the
> TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or
> later is required.
> >
> > If you obtain OpenSSL in binary form with or without Apache HTTP Server,
> contact the supplier of the binary for resolution.  If you build OpenSSL
> yourself, refer to the OpenSSL project for further information, including
> the advisory at http://www.openssl.org/news/secadv_20140407.txt .
>
> mod_spdy comes bundled with a script that builds mod_ssl.so with a
> statically linked
> OpenSSL. Other people may have done the same, or even with a mod_ssl built
> statically
> into apache. For those, just updating OpenSSL may be insufficient to fix
> the heartbleed
> bug.
>
> rainer



Hmmm...  mod_ssl could be linked statically with OpenSSL, mod_spdy or not.
 Yeah it is more complicated, but that makes it even more useful to explain.

--/--

httpd and mod_ssl must be rebuilt with the new OpenSSL when OpenSSL is
statically linked with mod_ssl.  Note:  The build of mod_spdy may rebuild
mod_ssl in this manner.

If you are using a commercial product based on Apache HTTP Server, consult
the vendor for information about the applicability of CVE-2014-0160 to your
server.  If you are otherwise using mod_ssl or a replacement for it from a
third party, consult the third party for more information.  If your
third-party module build rebuilds mod_ssl (e.g., mod_spdy), consult the
vendor for more information.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/

Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

Posted by "Rainer M. Canavan" <ra...@sevenval.com>.
On Apr 11, 2014, at 14:38 , Jeff Trawick <tr...@gmail.com> wrote:

> SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."
> 
> No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server configuration change besides disabling SSL/TLS completely can resolve this.  Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.
> 
> If you obtain OpenSSL in binary form with or without Apache HTTP Server, contact the supplier of the binary for resolution.  If you build OpenSSL yourself, refer to the OpenSSL project for further information, including the advisory at http://www.openssl.org/news/secadv_20140407.txt .

mod_spdy comes bundled with a script that builds mod_ssl.so with a statically linked 
OpenSSL. Other people may have done the same, or even with a mod_ssl built statically
into apache. For those, just updating OpenSSL may be insufficient to fix the heartbleed
bug. 

rainer
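
An added example, written for this page and not code from the httpd project or from anyone in the thread. It turns two points made above into checks an administrator can run: Rainer Jung's corrected version range (1.0.1 with no letter through 1.0.1f affected, 1.0.1g fixed, anything below 1.0.1 never had the heartbeat code; the 1.0.2-beta1 case is taken from the OpenSSL advisory linked in the draft, which says 1.0.2 is fixed in beta2) and Rainer Canavan's warning that a mod_ssl.so with OpenSSL statically linked into it, as the mod_spdy build script produces, does not pick up a host OpenSSL update. The script assumes a POSIX sh with sed, grep, awk, ldd and strings (binutils) on the host; the module and binary paths in the usage line are placeholders.

```sh
#!/bin/sh
# Added example for the thread above; not part of httpd or its advisory text.
# 1. openssl_heartbleed_status: classify an OpenSSL version string for CVE-2014-0160.
# 2. openssl_link_type / openssl_embedded_version / check_mod_ssl: find out which
#    OpenSSL a given mod_ssl.so (or an httpd binary with mod_ssl built in) really
#    runs, so that "just update libssl" is not trusted when OpenSSL is linked statically.

# Print "vulnerable", "fixed", "not affected" or "unknown" for a string that contains
# an OpenSSL version, e.g. "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL/1.0.1g" or "1.0.1".
openssl_heartbleed_status() {
    # Drop anything up to an "OpenSSL " / "OpenSSL/" prefix if present, then keep
    # major.minor.fix, an optional patch letter and an optional -betaN suffix.
    v=$(printf '%s\n' "$1" | sed -n \
        -e 's|.*OpenSSL[ /]||' \
        -e 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p')
    case "$v" in
        '')               echo unknown ;;
        1.0.1|1.0.1[a-f]) echo vulnerable ;;     # 1.0.1 (no letter) through 1.0.1f
        1.0.1[g-z]*)      echo fixed ;;          # 1.0.1g and later 1.0.1 letters
        1.0.2-beta1)      echo vulnerable ;;     # OpenSSL advisory: fixed in 1.0.2-beta2
        *)                echo "not affected" ;; # 0.9.8*, 1.0.0*, 1.0.2-beta2 and later
    esac
}

# Print "dynamic" if the file lists a shared libssl/libcrypto among its dynamic
# dependencies, "static" if it does not (OpenSSL compiled in), "unknown" if unreadable.
# Check mod_ssl.so and the httpd binary: a mod_ssl built into httpd lives in the latter.
openssl_link_type() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if ldd "$1" 2>/dev/null | grep -Eq 'lib(ssl|crypto)\.so'; then
        echo dynamic
    else
        echo static
    fi
}

# Print the OpenSSL version text compiled into the file (the OPENSSL_VERSION_TEXT
# string). For a static build this is the version that actually runs; for a dynamic
# build it is only the header version mod_ssl was compiled against.
openssl_embedded_version() {
    strings "$1" \
      | sed -n 's/^\(OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p' \
      | head -n 1
}

# Report on one mod_ssl.so or httpd binary.
check_mod_ssl() {
    f=$1
    case $(openssl_link_type "$f") in
        static)
            ver=$(openssl_embedded_version "$f")
            echo "$f: OpenSSL statically linked, $ver: $(openssl_heartbleed_status "$ver")"
            echo "$f: updating libssl.so on this host changes nothing; rebuild httpd/mod_ssl against a fixed OpenSSL"
            ;;
        dynamic)
            # The libssl the loader resolves for this file is what counts, which may
            # differ from what "openssl version" on the same host reports.
            lib=$(ldd "$f" | awk '/libssl\.so/ { print $3; exit }')
            ver=$(openssl_embedded_version "$lib")
            echo "$f: uses shared $lib, $ver: $(openssl_heartbleed_status "$ver")"
            ;;
        *)
            echo "$f: cannot read file"
            ;;
    esac
}

# Usage (placeholder paths): check_mod_ssl /path/to/modules/mod_ssl.so /path/to/bin/httpd
if [ $# -gt 0 ]; then
    for f in "$@"; do check_mod_ssl "$f"; done
fi
```

Two limits worth keeping in mind. A version string says nothing about patches applied without a version bump: a binary rebuilt with the TLS Heartbeat extension disabled, as the draft mentions, or a vendor package carrying a backported fix, will still report 1.0.1e or similar, which is exactly why the draft tells users of supplied binaries to ask the supplier rather than trust a string. And once a shared libssl is replaced, a running httpd keeps the old library mapped until it is restarted, so a "dynamic" result is only good news after the restart.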